Site icon News Update

Some Photo-Cropping Apps Are Exposing Your Secrets

Some Photo-Cropping Apps Are Exposing Your Secrets

At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. Though now fixed, the vulnerability is significant because Pixel users have for years been making, and in many cases presumably sharing, cropped images that may still contain the private or sensitive data the user was attempting to eliminate. But it gets worse.

The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were stunned to discover this week that a very similar version of the vulnerability is also present in other photo-cropping utilities from a totally separate yet equally ubiquitous codebase: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable in cases where a user takes a screenshot, saves it, crops the screenshot, and then saves the file again. Photos cropped with Markup, meanwhile, retained too much data even when the user applied the crop before first saving the photo. 

Microsoft told WIRED on Wednesday that it is “aware of these reports” and that it is “investigating,” adding, “we will take action as needed.”

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

Now that the vulnerabilities are out in the open, researchers have started uncovering old discussions on programming forums where developers noticed the odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.

“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.

Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. In short, there is a population of photos out there that contain more information than they should—specifically, information that someone intentionally tried to remove.

Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! NewsUpdate is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@newsupdate.uk. The content will be deleted within 24 hours.
Exit mobile version